
RE: IPSec SA DELETE in "dangling" implementation



> -----Original Message-----
> From: Slava Kavsan [mailto:bkavsan@ire-ma.com]
> Sent: November 30, 1999 11:46 AM
> To: ipsec
> Subject: IPSec SA DELETE in "dangling" implementation
> 
> 
> Here is the dilemma: if a "dangling" implementation wants to send an
> IPSec SA DELETE message while the "parent" IKE SA is no longer there
> (expired or deleted), the alternatives are (and I do not like either
> of them):
> 
> a) do not send DELETE
> b) re-negotiate IKE SA before sending DELETE
> 
> Any suggestions?
> 
> 
> 

I think you've pretty much captured it. However, b) is
preferable to a).

We might note that if you've re-keyed the phase 2 SA
that you're about to delete, and if you move to the
newest phase 2 SA as soon as possible, the probability
that the phase 1 SA is not there should be low, since
the time difference between a re-key and a delete of a
phase 2 SA is small.

This is probably the most normal of circumstances, so
the situation you describe should not be as common as
needing to re-negotiate phase 1 for the purposes of
re-keying.

Bottom line: attempt b), else a).
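As an added illustration of the timing argument in the reply (this is not code from the thread), the following Python model rekeys a phase 2 SA shortly before it expires, deletes the old one a little later, and applies the "attempt b), else a)" rule. Lifetimes, rekey margin and delete delay are constructed values, and the phase 1 SA is only modelled as a timer; DELETE itself is recorded as a decision, not sent.

```python
"""Toy model of the 'dangling' IPsec SA DELETE decision from the thread.

Added example, not code from the list discussion. 'phase 1' is the IKE SA,
'phase 2' the IPsec SA; all times and lifetimes are constructed values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sa:
    established: float
    lifetime: float

    def alive(self, now: float) -> bool:
        return now < self.established + self.lifetime


def delete_decision(ike: Sa, now: float, may_renegotiate: bool) -> Tuple[str, Sa]:
    """Apply 'attempt b), else a)': send DELETE under a live phase 1 SA,
    otherwise re-negotiate phase 1 first, otherwise skip the DELETE."""
    if ike.alive(now):
        return "delete", ike
    if may_renegotiate:
        return "renegotiate+delete", Sa(now, ike.lifetime)
    return "skip", ike


def simulate(ike_lifetime: float, ipsec_lifetime: float, rekey_margin: float,
             delete_delay: float, n_rekeys: int,
             may_renegotiate: bool = True) -> List[Tuple[float, str]]:
    """Rekey phase 2 `rekey_margin` before expiry, delete the old phase 2 SA
    `delete_delay` later, and record what happens to each DELETE."""
    ike = Sa(0.0, ike_lifetime)
    current = Sa(0.0, ipsec_lifetime)
    events: List[Tuple[float, str]] = []
    for _ in range(n_rekeys):
        t_rekey = current.established + current.lifetime - rekey_margin
        # Quick mode needs a live phase 1; a dangling peer re-negotiates on demand.
        if not ike.alive(t_rekey):
            ike = Sa(t_rekey, ike_lifetime)
            events.append((t_rekey, "rekey needed new phase 1"))
        new = Sa(t_rekey, ipsec_lifetime)
        t_delete = t_rekey + delete_delay
        action, ike = delete_decision(ike, t_delete, may_renegotiate)
        events.append((t_delete, action))
        current = new
    return events
```

The dangling case only appears when phase 1 expires inside the short window between the rekey and the DELETE (for example a phase 1 lifetime of 101 against a rekey at t=100 and a delete at t=102); if phase 1 expires before the rekey, it is re-negotiated for the rekey anyway and the DELETE goes out under the new phase 1 SA.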

